Vault on DCOS
APACHE-2.0 License
This is an example of how to run HashiCorp's Vault on DC/OS. By default, it's configured in HA mode with ZooKeeper as the backend.
Save the following JSON as vault.json
:
{
"id": "vault",
"cpus": 1,
"mem": 1000,
"ports":[8200],
"requirePorts":true,
"instances": 1,
"container": {
"type": "DOCKER",
"docker": {
"image": "brndnmtthws/vault-dcos",
"network": "HOST",
"forcePullImage": true
}
},
"healthChecks": [{
"protocol": "TCP",
"portIndex": 0,
"timeoutSeconds": 10,
"gracePeriodSeconds": 10,
"intervalSeconds": 2,
"maxConsecutiveFailures": 10
}]
}
Now launch on Marathon:
$ dcos marathon app add vault.json
Note: you may configure some parameters via environment variables, from the wrapper script run-vault
. You may set the following environment variables:
SSH into one of the DC/OS cluster nodes, and initialize the vault with the following:
$ docker run -e "VAULT_SKIP_VERIFY=true" -e "VAULT_ADDR=https://vault.marathon.mesos:8200" --entrypoint=vault -t brndnmtthws/vault-dcos init
Key 1: 62b6e5c157446c05c067bb41fadf931fd8f422f4af2a4c0ee056acbd5a89d3ed01
Key 2: a065dbfd663c5a619bfdc74ebce68051f9e7004d19c67bc6726daf49e209d4ea02
Key 3: 91e97d22436508a67905e535f636bb3e4550a8ad77b9f69da43717baa4012b5b03
Key 4: dcef79c03925db47c8494decfe959be39079ac987ac774fc5fb7148528dcb33a04
Key 5: ed63df1f1c7c89802ab16f97b445a08c2cce047814b8f9a789edac766ed44c8b05
Initial Root Token: 11aaf733-f280-fbaf-251d-69b9606bf4fa
Vault initialized with 5 keys and a key threshold of 3. Please
securely distribute the above keys. When the Vault is re-sealed,
restarted, or stopped, you must provide at least 3 of these keys
to unseal it again.
Vault does not store the master key. Without at least 3 keys,
your Vault will remain permanently sealed.
After, check to make sure it was properly initialized:
$ docker run -e "VAULT_SKIP_VERIFY=true" -e "VAULT_ADDR=https://vault.marathon.mesos:8200" --entrypoint=vault -t brndnmtthws/vault-dcos status
Sealed: true
Key Shares: 5
Key Threshold: 3
Unseal Progress: 0
High-Availability Enabled: true
Mode: sealed
Repeat the following command 3 times, pasting a separate key each time:
$ docker run -i -e "VAULT_SKIP_VERIFY=true" -e "VAULT_ADDR=https://vault.marathon.mesos:8200" --entrypoint=vault -t brndnmtthws/vault-dcos unseal
Key (will be hidden):
Sealed: true
Key Shares: 5
Key Threshold: 3
Unseal Progress: 1
Once it says Sealed: false
, your vault is unsealed.
Note: You'll have to run the command above with each key for each instance of Vault you're running. For example, if you run 3 instances (in HA mode), you'll have to repeatedly run the command and enter each key 3 times to unseal all 3 Vault instances. That's a total of 9 commands, if you're counting.
Run an interactive shell to test your vault:
$ docker run -i -e "VAULT_SKIP_VERIFY=true" -e "VAULT_ADDR=https://vault.marathon.mesos:8200" --entrypoint=/bin/sh -t brndnmtthws/vault-dcos
$ vault auth 11aaf733-f280-fbaf-251d-69b9606bf4fa # use root token from init
Successfully authenticated!
token: 11aaf733-f280-fbaf-251d-69b9606bf4fa
token_duration: 0
token_policies: [root]
$ vault token-create
Key Value
token d72b4cc0-a0a2-9be8-7c69-8fde5fe8bbe5
token_duration 0
token_renewable false
token_policies [root]
$ vault write secret/hello value=world
Success! Data written to: secret/hello
$ vault read secret/hello
Key Value
lease_duration 2592000
value world
For more examples, take a look at the Vault getting started guide.
After you get Vault up and running, you may want to consider running multiple instances, and enabling discovery via marathon-lb.